I mean, could there be a way for some hacker to install a key-logging spyware program along with an apparently innocent Extension?
Gnam

That is absolutely possible. Extensions can work in two ways... either by adding mere Javascript code to the browser, or by adding and calling an external routine in a DLL/EXE. So virtually anything is possible for the coder of an extension.

For this reason, beside performance reasons, I suggest you install only as many extensions as you really need, and only from sources that look reliable to you (like the official Firefox extension site).